Information Disclosure

security

Information Disclosure

Website reveals sensitive information to users, such as:

  • Revealing the names of hidden directories, their structure, and their contents via a robots.txt file or directory listing

  • Providing access to source code files via temporary backups

  • Explicitly mentioning database table or column names in error messages

  • Unnecessarily exposing highly sensitive information, such as credit card details

  • Hard-coding API keys, IP addresses, database credentials, and so on in the source code

  • Hinting at the existence or absence of resources, usernames, and so on via subtle differences in application behavior

  • private, personal information, such as personal messages, financial data, health records, geographic location, or contact details

  • system status and environment, such as the operating system and installed packages

  • business secrets and intellectual property

  • network status and configuration

  • the product’s own code or internal state

  • metadata, e.g. logging of connections or message headers

  • indirect information, such as a discrepancy between two internal operations that can be observed by an outsider

  • the product’s own users

  • people or organizations whose information is created or used by the product, even if they are not direct product users

  • the product’s administrators, including the admins of the system(s) and/or networks on which the product operates

  • the developer

Descriptions

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Reasons

  • Failure to remove internal content from public content. For example, developer comments in markup are sometimes visible to users in the production environment.

  • Insecure configuration of the website and related technologies. For example, failing to disable debugging and diagnostic features can sometimes provide attackers with useful tools to help them obtain sensitive information. Default configurations can also leave websites vulnerable, for example, by displaying overly verbose error messages.

  • Flawed design and behavior of the application. For example, if a website returns distinct responses when different error states occur, this can also allow attackers to enumerate sensitive data, such as valid user credentials

Testing

  • some directories like robots.txt, sitemap.xml
  • sensitive HTML comments, subdirectory disclosure
  • pay attention to error message
  • ~ backup file, .bak backup file
  • .git file
  • .svn folder

References